Solving Group Policy Problems with the Group Policy Results Wizard

Sometimes referred to as Resultant Set of Policy (RSoP), in this Ask the Admin, I’ll show you how to determine which Group Policy settings are actually being applied to devices using the Group Policy Results Wizard.

Group Policy Results is a feature of the Group Policy Management Console (GPMC), and allows administrators to scan the local or remote machines, and users to determine which Group Policy objects (GPOs) and settings are being applied. This differs from Group Policy Modelling, which shows the result of applying a set of GPOs without making any changes to users or machines.

The Group Policy Results Wizard helps system administrators figure out what settings are really being applied to devices, which can be a difficult task when you consider that multiple GPOs might be linked at different levels of the AD hierarchy, then add different processing options and enforcement settings, along with WMI filters, and it may not be immediately clear what settings are being applied.

Group Policy Management Console

The Group Policy Management Console is installed by default on all Active Directory domain controllers (DCs). Alternatively, GPMC is installed as part of the Remote Server Administration Tools (RSAT) for Windows Server 2012 R2, which are supported on client and server versions of Windows. For details on RSAT, see Remote Server Administration Tools (RSAT) for Windows 8: Download and Install on the Petri IT Knowledgebase.

Setting Up Your Environment for RSoP

Before analyzing remote devices, you’ll need to make sure that the relevant inbound Windows Firewall rules are enabled for Group Policy Results. Windows Firewall includes a set of built-in rules for Group Policy Results that need to be enabled for GPMC to make connections to remote machines. The Windows Firewall rules are Remote Event Log Management (NP-in), Remote Event Log Management (RPC), Remote Event Log Management (RPC-EPMAP), and Windows Management Instrumentation (WMI-in).

Alternatively, you can quickly create a GPO with the necessary settings, and link it your domain so that it applies to all devices, using the PowerShell cmdlet below. You’ll need to log in to a domain controller as a domain administrator, or a device that has the Active Directory module for PowerShell installed, to run the cmdlet. Don’t forget to replace dc=ad,dc=contoso,dc=com in the –target value with the CN of your domain name.

On the User Selection screen, if you want to also collect user results, check Select a specific user and then select a user from the box. The box only displays users that have logged in previously to the remote device.

If you’re not interested in collecting the results of user policy, check Do not display user policy settings in the results (display computer policy settings only). Click Next to continue.

Check the configured settings on the Summary of Selections screen and click Next.

Click Finish in the Group Policy Results Wizard window.

Note that at this point, you have the option to rename the results report in the left pane, or you can just press ENTER to accept the default name.

The Report

On the Summary tab in the right pane of GPMC, you should see a message saying No Errors Detected for both computer and user policy. Now switch to the Details tab. Here you’ll find the nitty gritty of the report. In this example, I can see information about GPO processing at the top of the Details tab. The GPOs applied to the device, in this case CONTOSOSRV1, are listed along with any WMI filters that are applied. Under Computer Details and User Details respectively, you can expand the relevant sections to see the actual settings that are applied to the remote device.

Subscribe to Petri NewslettersOffice 365 Insider

Our Petri Office 365 Insider is dedicated to sharing detailed knowledge from top Office 365 experts. Delivered once a month to your inbox.

Petri.com may use your contact information to provide updates, offers and resources that may be of interest to you. You can unsubscribe at any time. To learn more about how we manage your data, you can read our Privacy Policy and Terms of Service.

Subscribe to Petri NewslettersOffice 365 Insider

Petri.com may use your contact information to provide updates, offers and resources that may be of interest to you. You can unsubscribe at any time. To learn more about how we manage your data, you can read our Privacy Policy and Terms of Service.